Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

mtop-devtools-socket

v1.0.0

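Call the capabilities of the Mtop DevTools browser extension over a local socket (get requests/logs/tracking events, set mocks, get API schema, proxy HTTP requests, browser operations and page perception)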

by 徒言 @f-loat

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for f-loat/mtop-devtools-socket.

Prompt preview: Install & Setup
Install the skill "mtop-devtools-socket" (f-loat/mtop-devtools-socket) from ClawHub.
Skill page: https://clawhub.ai/f-loat/mtop-devtools-socket
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install mtop-devtools-socket

ClawHub CLI

npx clawhub@latest install mtop-devtools-socket

Security Scan

VirusTotal: Suspicious
OpenClaw: Benign (high confidence)

Purpose & Capability
Name/description state a local-socket interface to the Mtop DevTools extension; the SKILL.md and README describe Native Messaging, a CLI, and browser control features (requests, logs, mocks, proxy, page ops) that align with that purpose.
Instruction Scope
SKILL.md instructs installation of a native host and CLI and gives commands that will: execute arbitrary JS in page context (page_eval), read page DOM/accessible snapshot, capture screenshots, read and use browser cookies for signing/proxying, upload local files, and add declarativeNetRequest rules (redirect/modify/block). These are expected for a DevTools control tool but are powerful and enable data access/exfiltration if misused.
Install Mechanism
This is an instruction-only skill (no install spec). It tells users to run npm -g install of @mtop-devtools/native-host and @mtop-devtools/client. That is a reasonable install approach for a native messaging host but implies installing third-party global packages and registering a native host manifest (may require elevated privileges and writing system dirs). The skill does not auto-download or execute code itself.
Credentials
The skill requires no environment variables or external credentials in metadata. However runtime behavior explicitly depends on sensitive browser state: it reads cookies (_m_h5_tk, m_tk, _tb_token_) to sign/send mtop requests, automatically attaches browser cookies to proxied requests, and can be directed to read local file paths for uploads or payload files. These sensitive accesses are coherent with the skill's purpose but should be treated as high-privilege operations.
Persistence & Privilege
The skill is not always:true and does not request permanent platform-level presence. It recommends installing a native host and CLI which will register a native messaging host and a global command via npm -g; that is appropriate for the stated functionality and is performed by the user during setup.
Assessment
This skill appears to do what it says: control a browser DevTools extension via a local native host. Before installing or using it, be aware that it deliberately accesses sensitive browser state and local files: it can read cookies (used for signing/auth), capture page contents and screenshots, run arbitrary JS in pages, proxy requests with browser cookies, add redirect/modify rules, and upload local files. Only install the npm packages if you trust their publisher; registering a native messaging host may require sudo and writes system config. Avoid using this on accounts or pages containing sensitive data unless you trust the extension and CLI source; review the @mtop-devtools packages on npm/GitHub and the browser extension source if possible. If you will grant agent autonomy, consider restricting its scope because these capabilities could be misused to exfiltrate data or redirect traffic.


latest vk97avjz7v35k671hv4e7yt5avs84rtmk
64 downloads
0 stars
1 version
Updated 2w ago
v1.0.0
MIT-0

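Mtop DevTools Socket skill

📦 Prerequisites

Before using this skill, you need to install the Mtop DevTools browser extension. Once it is installed, opening Chrome DevTools should show the Mtop Viewer tab.

If the connection fails, the CLI automatically shows the extension's install URL, so there is no need to memorize it.

🚀 Quick start

Step 1: Install dependencies (first time only)

Before first use, install the Native Messaging Host and the CLI tool: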

npm install -g @mtop-devtools/native-host @mtop-devtools/client

Installing @mtop-devtools/native-host automatically completes Native Messaging initialization. To initialize manually or to specify a custom extension ID, run mtop-devtools-native-host initialize [--extension-id <id>]

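Step 2: Connect and use

Once installation is complete, you can call it directly. If the connection fails, open DevTools and switch to the Mtop Viewer panel to trigger the connection manually: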

mtop-devtools get_requests --payload '{"count": 5}'
mtop-devtools get_logs --payload '{"limit": 10}'
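
The Native Messaging initialization in step 1 leaves a host manifest on disk, and its allowed_origins list decides which extensions may start the host. The check below is an added example, not code from this skill or the @mtop-devtools packages; it assumes Chrome's Native Messaging manifest fields on Linux/macOS, and the host name, path and extension ID in it are constructed placeholders.

```javascript
// Added example: audit a Chrome Native Messaging host manifest after install.
// All sample values (host name, path, extension ID) are constructed placeholders.
const ORIGIN_RE = /^chrome-extension:\/\/([a-p]{32})\/$/;

function auditNativeHostManifest(manifest, expectedExtensionId, fileMode) {
  const findings = [];
  if (manifest.type !== "stdio") {
    findings.push("type is not \"stdio\"");
  }
  // Chrome requires an absolute host path on Linux and macOS.
  if (typeof manifest.path !== "string" || !manifest.path.startsWith("/")) {
    findings.push("path is not absolute: " + manifest.path);
  }
  const origins = Array.isArray(manifest.allowed_origins) ? manifest.allowed_origins : [];
  if (origins.length === 0) {
    findings.push("allowed_origins is missing or empty");
  }
  for (const origin of origins) {
    const match = ORIGIN_RE.exec(origin);
    if (!match) {
      findings.push("malformed or wildcard origin: " + origin);
    } else if (match[1] !== expectedExtensionId) {
      findings.push("unexpected extension allowed: " + match[1]);
    }
  }
  // A group- or world-writable manifest lets another local account repoint `path`.
  if ((fileMode & 0o022) !== 0) {
    findings.push("manifest is writable by group/other: " + (fileMode & 0o777).toString(8));
  }
  return findings;
}

const EXPECTED_ID = "abcdefghijklmnopabcdefghijklmnop"; // constructed, not the real extension ID
const pinnedManifest = {
  name: "com.example.devtools_host",
  description: "Constructed sample manifest",
  path: "/usr/local/lib/example-host/host.js",
  type: "stdio",
  allowed_origins: ["chrome-extension://" + EXPECTED_ID + "/"],
};
const looseManifest = {
  ...pinnedManifest,
  path: "host.js",
  allowed_origins: ["chrome-extension://*/", "chrome-extension://" + "p".repeat(32) + "/"],
};

console.log(auditNativeHostManifest(pinnedManifest, EXPECTED_ID, 0o644));
console.log(auditNativeHostManifest(looseManifest, EXPECTED_ID, 0o666));
```

To run it against a real install, pass the parsed manifest JSON and the manifest file's mode bits (in Node, the `mode` field returned by `fs.statSync`).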

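🎯 Intent recognition and supported operations

Based on the user's description, choose the corresponding operation and parameters:

API debugging

| What the user says (examples) | Operation | Description |
| --- | --- | --- |
| Get the most recent requests; see what was just sent | get_requests | Get requests; by default returns those for the panel's current mode (mtop or ordinary requests) |
| Get mtop API requests | get_requests + source: "mtop" | Force fetching mtop API requests |
| Get ordinary HTTP requests (xhr/fetch) | get_requests + source: "requests" | Force fetching non-mtop requests |
| Check the console logs; see what error was reported | get_logs | Get the browser console logs |
| Check tracking data, RUM events, what aplus reported | get_events | Get RUM/aplus tracking events |
| Get the API schema; what are the API's input and output parameters | get_api_schema | Get the API schema; can return schema, hsf, or all |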

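Mock & request rules

| What the user says (examples) | Operation | Description |
| --- | --- | --- |
| Mock a given API; make an API return xxx | set_mock | Set API mock data |
| See which mocks currently exist | get_mocks | View the mocks currently in effect |
| Add a request rule, redirect a request, modify request headers, block a request | add_rule | Add a Chrome declarativeNetRequest rule |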

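Network request proxy

| What the user says (examples) | Operation | Description |
| --- | --- | --- |
| Call a given API; send an HTTP request with cookies attached | proxy_request | Proxy a request, automatically attaching the browser's cookies |
| Call a given mtop API; send an mtop request | send_mtop_request | Issue an mtop request in the page context, handling signing and token automatically |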

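Browser operations

| What the user says (examples) | Operation | Description |
| --- | --- | --- |
| Open a page; create a new tab | tab_open | Open a new tab in the browser and wait for it to finish loading |
| Close a tab | tab_close | Close the tab with the specified tabId |
| List all tabs; see which pages are open | tab_list | Get the list of all tabs in the current window |
| Click a button, click an element, click on something | page_click | Click a page element; supports JS click and CDP real mouse click |
| Enter text, fill in a form, type into an input box | page_type | Fill text into an input box; compatible with React controlled components |
| Scroll the page, go to the bottom, scroll down | page_scroll | Scroll the page; supports four directions: up/down/top/bottom |
| Execute JS; run a script on the page | page_eval | Execute an arbitrary JavaScript expression in the page context |
| Press a key, press Enter, press Tab | page_press | Press a keyboard key in the page (Enter/Tab/Escape, etc.) |
| Wait for the page to load; wait for an element to appear | page_wait | Wait for a specified time or for an element to appear |
| Navigate in the current tab; go to another page | page_navigate | Navigate to a new URL within the current tab |
| Upload a file, choose a file, file upload | page_upload | Upload a local file through an <input type="file"> element |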

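Page perception

| What the user says (examples) | Operation | Description |
| --- | --- | --- |
| Get the page structure, see what elements are on the page, page snapshot | page_snapshot | Get an accessibility-tree snapshot of the page; returns structured text of all interactive elements |
| Take a screenshot, get a screenshot of the current page, see what the page looks like | get_screenshot | Get a screenshot of the current browser tab |
| Get the selected element, look at this element's layout/styles, analyze the element | get_selected_element | Get detailed information about the element currently selected in the Elements panel |

📚 Reference documentation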
